Minecraft RCON Terminal Password Storage Vulnerability in VS Code Extension
Vulnerability
A vulnerability exists in the Minecraft RCON Terminal VS Code extension, affecting versions from 0.1.0 up to, but not including, 2.0.6. The extension stores RCON passwords in plaintext in the VS Code settings.json file. This exposes the password through VS Code's Settings Sync, through workspace settings, and through local file system access. The root cause is the extension's use of VS Code's configuration API, which is not designed to hold sensitive information. The RCON protocol already transmits passwords in plaintext over TCP, but persisting them in settings.json adds a separate at-rest exposure on top of that.
Impact
Because the RCON password is stored in plaintext, it can be read from the local file system, can be committed to version control along with workspace settings, and can be synced to the cloud by VS Code's Settings Sync feature.
Remediation
Users can update to version 2.1.0 or later, which addresses the vulnerability by storing passwords securely using VS Code's Secret Storage API. Passwords stored in prior versions will be automatically migrated to the secure storage.
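The following is an added example, not code from the extension itself, showing the two patterns the advisory contrasts: reading the password from the configuration API (the plaintext-in-settings.json pattern) versus keeping it in VS Code's Secret Storage, plus a one-time migration of the kind the remediation describes and a small audit check for a workspace settings file. The `ConfigLike` and `SecretStorageLike` interfaces mirror the method shapes of VS Code's `WorkspaceConfiguration` and `SecretStorage`, and the in-memory fakes are constructed here so the logic runs outside VS Code; in a real extension you would pass `vscode.workspace.getConfiguration(...)` and `context.secrets`. The setting key `rcon.password` and the secret key `minecraft-rcon.password` are assumptions, not the extension's real identifiers.

```typescript
// Minimal shapes of the two VS Code objects involved, so the example runs without the vscode module.
interface ConfigLike {
  get<T>(key: string): T | undefined;
  // Real WorkspaceConfiguration.update also takes a ConfigurationTarget third argument.
  update(key: string, value: unknown): PromiseLike<void>;
}
interface SecretStorageLike {
  get(key: string): PromiseLike<string | undefined>;
  store(key: string, value: string): PromiseLike<void>;
  delete(key: string): PromiseLike<void>;
}

const PASSWORD_SETTING = "rcon.password";          // assumed settings.json key
const PASSWORD_SECRET = "minecraft-rcon.password"; // assumed SecretStorage key

// Vulnerable pattern: the password is read from, and therefore lives in, settings.json.
function readPasswordInsecure(config: ConfigLike): string | undefined {
  return config.get<string>(PASSWORD_SETTING);
}

// Fixed pattern: the password lives only in SecretStorage (backed by the OS credential store).
async function readPasswordSecure(secrets: SecretStorageLike): Promise<string | undefined> {
  return secrets.get(PASSWORD_SECRET);
}

// One-time migration: move a plaintext value into SecretStorage and remove it from settings.
// Returns true when a value was migrated, false when there was nothing to move.
async function migratePlaintextPassword(config: ConfigLike, secrets: SecretStorageLike): Promise<boolean> {
  const plaintext = config.get<string>(PASSWORD_SETTING);
  if (!plaintext) return false;
  await secrets.store(PASSWORD_SECRET, plaintext);
  await config.update(PASSWORD_SETTING, undefined); // undefined removes the key from settings.json
  return true;
}

// Audit check for a committed .vscode/settings.json: does it still carry the plaintext key?
// Expects strict JSON; a settings file with comments (JSONC) must be stripped first.
function settingsContainPlaintextPassword(settingsJson: string): boolean {
  const parsed = JSON.parse(settingsJson) as Record<string, unknown>;
  const value = parsed[PASSWORD_SETTING];
  return typeof value === "string" && value.length > 0;
}

// In-memory fakes (constructed for this example) standing in for the VS Code objects.
class FakeConfig implements ConfigLike {
  constructor(private values: Record<string, unknown>) {}
  get<T>(key: string): T | undefined {
    return this.values[key] as T | undefined;
  }
  async update(key: string, value: unknown): Promise<void> {
    if (value === undefined) delete this.values[key];
    else this.values[key] = value;
  }
}
class FakeSecrets implements SecretStorageLike {
  private store_ = new Map<string, string>();
  async get(key: string): Promise<string | undefined> { return this.store_.get(key); }
  async store(key: string, value: string): Promise<void> { this.store_.set(key, value); }
  async delete(key: string): Promise<void> { this.store_.delete(key); }
}

// Walks through the migration on a constructed settings object and reports the state before and after.
async function demo(): Promise<{ before: string | undefined; migrated: boolean;
                                 settingsAfter: string | undefined; secretAfter: string | undefined }> {
  const config = new FakeConfig({ "rcon.host": "127.0.0.1", [PASSWORD_SETTING]: "hunter2" }); // constructed sample
  const secrets = new FakeSecrets();
  const before = readPasswordInsecure(config);
  const migrated = await migratePlaintextPassword(config, secrets);
  return {
    before,
    migrated,
    settingsAfter: readPasswordInsecure(config),   // expected: undefined
    secretAfter: await readPasswordSecure(secrets), // expected: "hunter2"
  };
}

demo().then((result) => console.log(result));
```

The migration runs once at activation; after it, the configuration API no longer holds the password, so neither Settings Sync nor a committed workspace settings file can carry it. The audit helper is the check a reviewer would run over a repository's `.vscode/settings.json` to confirm that no plaintext value is left behind.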
